5 minute read 10 May 2019
Cybersecurity: how to help protect a family office


Robert (Bobby) Stover, Jr.

EY Americas Family Office Leader

Leader and advisor in helping family businesses navigate the challenges they face. Instructor and speaker about business succession and wealth transfer.

Family businesses face many cybersecurity challenges. Learn how you can protect your company.

Cybersecurity is a hot topic among family offices, and for good reason. The American Institute of Certified Public Accountants (AICPA) reported in 2015 that 25% of Americans have been victims of information security breaches in the last year, which is double the rate of the prior year [1]. Verizon reported in 2012 that 71% of cyber attacks occur at firms with fewer than 100 employees [2], while the National Cyber Security Alliance states that small businesses that get hacked have a 60% chance of going out of business within six months [3].

Most people admit to being concerned about cybersecurity, but at the same time, do not understand it or know what they should do about it.

Why should a family be concerned about potential cyber intrusions? At its core, there are three key concerns:

  1. Theft. Someone might access bank, credit, investment or other financial accounts. Even if the family refuses to use online banking, their money may be at risk through phishing attacks, automatic teller machine (ATM) fraud or someone accessing their information at the IRS.
  2. Privacy. Hackers may harm the family reputation (or its business) by revealing details about the family wealth, while thieves may use information to plan a robbery or kidnapping.
  3. Maliciousness. Just as teenagers might spray-paint graffiti on a building, hackers may access data or websites just to delete or destroy data, or perhaps to redirect users to a different website. This may cost the family privacy, in addition to the cost of repairing the websites.

Ten steps toward family office cyber protection

With so many risks, and knowing that most wealthy family members have very little patience for security and restrictions, we have developed a 10-point plan that family offices can use to protect the family’s technology. This plan is designed to be reasonable for the family, while limiting their exposure to the most common threats. Some high-profile families may choose to exceed these recommendations.

1. Technology inventory

The family office should maintain an inventory of routers (don’t forget those at each family member’s house), computers, tablets, phones and other devices. The office needs to maintain these devices and make sure that each one has updated antivirus, firewall and similar software.

As part of the maintenance, the office should make certain that software on the systems, such as operating systems, Microsoft Office, browsers and accounting tools, is kept current. In addition, the inventory should track databases and the types of data contained therein. Most important are databases with client information, but also anything that thieves can exploit.

2. Written cyber policy

Family offices should have a written cyber-protection policy, including a connected-device policy, a password policy, social-media policy and payment-authorization policy. Families rarely have penalties for violating these policies, but by writing them down, communicating them and providing education, the family understands and thinks about their behavior.

3. Cybersecurity insurance policy

If the family office oversees family businesses, blog sites or foundations with websites, they should consider cybersecurity insurance. Such policies can cover:

  • Liability for loss of data, such as client personal data or credit card details
  • Remediation costs, such as investigation, notification and repairs
  • Settlement costs, such as client-monitoring services, payments or regulatory fines

4. Vulnerability assessment

Vulnerability assessments identify the weaknesses in a system. For a family office, this should include the family office, businesses overseen by the office (including a foundation office) and each family member’s home systems. Most offices lack the expertise to conduct these assessments internally, and thus contract with an outside vendor. Such assessments should be conducted at least annually.

5. Encryption tools

If confidential information is sent in standard emails, the data passes through the internet and could be intercepted and read by hackers. One way to prevent this is to use email encryption tools. These tools encrypt the message before it is sent, and the receiver uses a matching tool to decrypt and read the secure message. If someone intercepts the message, it will be indecipherable without the decryption key.

Wealthy families have always been ripe targets for thieves and vandals, and the rise of the internet opened additional avenues for criminals to operate — often with a cloak of anonymity.

6. Identity protection

Despite all of the best efforts, there remains a risk that a family member’s identity could be stolen. There are many firms that will monitor any new account openings, credit requests and similar activity. They notify clients of any activity, giving them the opportunity to validate the request and prohibit transactions, if desired. They also can create a freeze, such that new accounts cannot be opened. If someone’s identity is stolen, these firms are experienced in helping the person recover from such theft. Many family offices provide such services for each family member.

7. Cyber education

The family office can use the most robust tools and vendors available, but they need to be paired with education on the risks for family office staff and family members. Cyber education should be a key part of annual family meetings to help family members understand why the family technology policies were created, and what can happen if they are not followed.

8. Data backups

While data backups can be done on thumb drives or external hard drives, it is generally preferable for backups to be stored off-site, which frequently requires a cloud-based provider. If a device is lost or stolen, or if a hacker destroys data on a device, the family can restore the data from a backup version.

9. Background checks

The family office should conduct criminal background checks annually on family office staff and vendors. Many offices conduct such checks before hiring staff, but then never do so again. When using a vendor firm (including technology providers, consultants and household staff), the firm itself may perform background checks on the staff, which may be sufficient. The office should seek proof of such checks, and if not performed, then do so themselves.

10. Network monitoring

Family offices should have staff or a vendor monitoring the family office network, business networks and family home networks, looking for signs of an intrusion. Very few family offices have the proper staff to do this internally, so they should rely on trusted outside firms. Such firms monitor systems 24 hours a day and can shut them down in the event of an attack.

References

  1. “Big Data and Business Analytics Revenues Forecast to Reach $150.8 Billion This Year, Led by Banking and Manufacturing Investments, According to IDC,” IDC website, https://www.idc.com/getdoc.jsp?containerId=prUS42371417, accessed 9 November 2017.
  2. “The Rise of AI in Financial Services - research brief,” Narrative Science, 2017.


An explanation of cybersecurity challenges family offices face and a measured approach to address these challenges.
